Not all virtual machines (VMs) are created equal. Some VMs have special security-related functions that allow them exclusive access to data for some period of time. For example, an embedded VM used as a network security appliance (e.g., a firewall, VPN, intrusion detection system (IDS), intrusion prevention system (IPS), etc.) may require exclusive access to network packet data after a guest VM creates it, but before it is given to a physical network device. As the packet transitions through the embedded VM, access from the originating guest VM needs to be restricted until after the embedded VM has completed its operations and/or the packet has been transmitted by the network interface device.
In an example where the embedded VM is used as a firewall, the embedded VM may examine a guest VM's packet data. Here, if the embedded VM determines that the packet data conforms to administrative policy, the packet is allowed to continue onto the network interface device. Prior to the packet being sent by the network interface device to the network, malicious code in the guest VM may change the contents of the packet to something that does not conform to administrative policy, thus defeating the security function of the embedded VM.
To help remedy the above issue regarding malicious code, several solutions have been proposed. One solution involves having the embedded VM copy the packet contents from the guest VM memory to memory that is only accessible by the embedded VM. However, such copies of content can be expensive. Another solution involves having the embedded VM request that the virtual machine monitor (VMM) map (or flip) a particular page or memory region into its address space for exclusive access by the embedded VM. Unfortunately, this VMM interaction by the embedded VM may also be expensive.
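The following simulation, added here as an example and not part of the original text, shows the check-then-transmit window described in the firewall scenario above and the private-copy remedy from the paragraph just read. The 4-byte packet header, the port-based administrative policy and the guest-side rewrite are all constructed for illustration.

```python
"""Simulated inspect-then-transmit race between a guest VM and an embedded
firewall VM that share one packet buffer (constructed example)."""

ALLOWED_DST_PORTS = {443}  # constructed administrative policy: HTTPS only


def dst_port(pkt: bytes) -> int:
    """Read the destination port from a toy header: src_port, dst_port (big-endian)."""
    return int.from_bytes(pkt[2:4], "big")


def conforms(pkt: bytes) -> bool:
    """Embedded VM policy check: the packet conforms if its destination port is allowed."""
    return dst_port(pkt) in ALLOWED_DST_PORTS


def make_packet(src: int, dst: int, payload: bytes) -> bytearray:
    """Build a guest-owned packet buffer with the constructed 4-byte header."""
    return bytearray(src.to_bytes(2, "big") + dst.to_bytes(2, "big") + payload)


def inspect_in_place(shared: bytearray, guest_tamper):
    """Embedded VM checks the guest-owned buffer, then hands the SAME buffer to
    the NIC. guest_tamper runs between the two steps: that is the race window."""
    if not conforms(bytes(shared)):
        return None
    guest_tamper(shared)       # guest still has write access to the page
    return bytes(shared)       # what the NIC actually transmits


def inspect_private_copy(shared: bytearray, guest_tamper):
    """Embedded VM copies the packet into memory only it can reach, checks the
    copy, and the NIC transmits the copy (the first remedy described above)."""
    private = bytes(shared)    # the copy cost the text mentions is paid here
    if not conforms(private):
        return None
    guest_tamper(shared)       # mutates the guest page, not the private copy
    return private


def guest_rewrite(buf: bytearray) -> None:
    """Constructed guest-side change made after approval: retarget to port 23."""
    buf[2:4] = (23).to_bytes(2, "big")


def demo():
    """Return the destination port the NIC sees under each strategy."""
    pkt = make_packet(40000, 443, b"GET /")
    sent_in_place = inspect_in_place(bytearray(pkt), guest_rewrite)
    sent_copy = inspect_private_copy(bytearray(pkt), guest_rewrite)
    return dst_port(sent_in_place), dst_port(sent_copy)
```

With the shared buffer, the transmitted packet no longer conforms to the policy that approved it; with the private copy, the guest's later write is invisible to the network device.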